kspalaiologos / bzip3

A better and stronger spiritual successor to BZip2.


examples/fuzz.c: null pointer dereference when there are no args

asarubbo opened this issue · comments

Hello,

this is to let you know that examples/fuzz.c has a null pointer dereference when launched without arguments:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8717==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fed09b38613 bp 0x000000000000 sp 0x7ffdbc7fd580 T0)
==8717==The signal is caused by a READ memory access.
==8717==Hint: address points to the zero page.
    #0 0x7fed09b38613 in fseek /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/libio/fseek.c:35:3
    #1 0x4dd2a5 in main /root/bzip3/fuzz.c:24:5
    #2 0x7fed09ae71f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fed09ae72ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #4 0x41d5c0 in _start (/root/bzip3/bzip_fuzz+0x41d5c0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/libio/fseek.c:35:3 in fseek
==8717==ABORTING
Aborted

and a similar issue in examples/decompress-file.c

==34739==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fe75b500000 at pc 0x000000440631 bp 0x7ffd8dcefd10 sp 0x7ffd8dcef498
READ of size 5 at 0x7fe75b500000 thread T0
    #0 0x440630 in printf_common(void*, char const*, __va_list_tag*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:553:9
    #1 0x441a39 in __interceptor_vprintf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1738:1
    #2 0x441a39 in printf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1796:1
    #3 0x4dd3c4 in main /root/bzip3/decompress-file.c:12:9
    #4 0x7fe75d4bb1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7fe75d4bb2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x41d5c0 in _start (/root/bzip3/bzip3_decompress+0x41d5c0)

These programs are not meant for the end user.

/* This is just a demonstration of bzip3 library usage, it does not contain all the necessary error checks and will not
 * support cross-endian encoding/decoding. */

I understand, but I pointed it out because there is a block of code that does not work in practice:

    if (argc != 3) {
        printf("Usage: %s <input file> <output file>");
        return 1;
    }

So I intended it as a bug.
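For reference, this is what the argument and file handling of such an example program looks like once both defects from the thread are closed: the `printf` gets its `argv[0]` argument (the cause of the `stack-buffer-underflow` read in `decompress-file.c`), and `fopen` is checked before the `FILE*` ever reaches `fseek` (the NULL dereference in `fuzz.c`). This is an added illustration, not code from the bzip3 repository; the function names `check_usage` and `open_and_size` and the return codes are my own assumptions.

```c
/* Added illustration of hardened argv/file handling for a bzip3-style
 * example tool. Not code from the bzip3 repository; function names and
 * return codes are assumptions made for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Returns 0 when exactly <input> <output> were given, 1 otherwise.
 * Supplying argv[0] to "%s" is what the original snippet forgot: without
 * it printf pulls a garbage pointer off the stack, which ASan reports as a
 * stack-buffer-underflow read. */
int check_usage(int argc, char **argv) {
    if (argc != 3) {
        /* argv[0] can be NULL when a program is exec'd with an empty argv;
         * guard it so the usage message itself cannot crash. */
        const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "program";
        fprintf(stderr, "Usage: %s <input file> <output file>\n", prog);
        return 1;
    }
    return 0;
}

/* Opens `path` for reading and stores its size in *size.
 * Returns 0 on success; on any failure returns -1 with *fp left NULL, so a
 * NULL FILE* is never handed to fseek (the fuzz.c trace above). */
int open_and_size(const char *path, FILE **fp, long *size) {
    *fp = NULL;
    *size = -1;
    if (path == NULL) {
        fprintf(stderr, "open_and_size: no input path given\n");
        return -1;
    }
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        fprintf(stderr, "open_and_size: cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    long n = -1;
    if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) < 0 || fseek(f, 0, SEEK_SET) != 0) {
        fprintf(stderr, "open_and_size: cannot size %s: %s\n", path, strerror(errno));
        fclose(f);
        return -1;
    }
    *fp = f;
    *size = n;
    return 0;
}

int main(int argc, char **argv) {
    if (check_usage(argc, argv) != 0) return 1;
    FILE *in;
    long size;
    if (open_and_size(argv[1], &in, &size) != 0) return 1;
    printf("%s: %ld bytes\n", argv[1], size);
    fclose(in);
    return 0;
}
```

Run with no arguments it prints the usage line and exits 1 instead of faulting; run on a missing file it reports the `errno` text instead of seeking on NULL.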